{"id":20323518,"url":"https://github.com/randomvariable/kms-cryptsetup","last_synced_at":"2025-04-11T19:31:06.870Z","repository":{"id":71225877,"uuid":"111313274","full_name":"randomvariable/kms-cryptsetup","owner":"randomvariable","description":"Encrypt your on-premise server disks and save the keys in the cloud securely","archived":false,"fork":false,"pushed_at":"2018-09-16T23:25:30.000Z","size":7530,"stargazers_count":75,"open_issues_count":0,"forks_count":6,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-25T15:21:15.909Z","etag":null,"topics":["aws","clearlinux","coreos","cryptsetup","dm-crypt","dmcrypt","dynamodb","kms"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/randomvariable.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-11-19T16:41:21.000Z","updated_at":"2025-01-02T00:56:07.000Z","dependencies_parsed_at":null,"dependency_job_id":"7b952169-c84b-4018-9fc5-bfd9a9c292af","html_url":"https://github.com/randomvariable/kms-cryptsetup","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/randomvariable%2Fkms-cryptsetup","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/randomvariable%2Fkms-cryptsetup/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/randomvariable%2Fkms-cryptsetup/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/randomvariable%2Fkms-cryptsetup/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/randomvariable","download_url":"https://codeload.github.com/randomvariable/kms-cryptsetup/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248466823,"owners_count":21108545,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","clearlinux","coreos","cryptsetup","dm-crypt","dmcrypt","dynamodb","kms"],"created_at":"2024-11-14T19:28:28.191Z","updated_at":"2025-04-11T19:31:06.823Z","avatar_url":"https://github.com/randomvariable.png","language":"Go","readme":"kms-cryptsetup\n==============\n\nLets you encrypt on-premise disks and securely store the keys in DynamoDB\nusing KMS.\n\nDesign\n------\n`kms-cryptsetup` can be used on stateless systems like CoreOS or Intel Clear\nLinux.\n\nIt uses SMBIOS IDs and disk serial numbers to uniquely identify computers\nand disks and retrieve encryption keys from DynamoDB, which are in turn\nencrypted using the AWS Key Management Service.\n\nEach computer has an IAM user account with fine-grained access control to\ntheir key prefix in DynamoDB.\n\nYou also provide individual grants to each computer to decrypt records in\nDynamoDB. 
These can be revoked and reinstated at any time, and provide an\nalternative to using hardware devices like TPMs or Yubikeys which could\npotentially be physically stolen together with the hard disk.\n\n\nSetup\n---\n\n```\nAWS_REGION=\u003cregion\u003e ./kms-cryptsetup # lists available commands\n```\n\n## Create the DynamoDB table\n\n`kms-cryptsetup` uses a DynamoDB table called `kms-cryptsetup` to store keys.\nCreate this using:\n\n```\nAWS_REGION=\u003cregion\u003e ./kms-cryptsetup create-table\n```\n\n## Grant the computer access\nInstall/copy `kms-cryptsetup` to the target computer and run:\n\n```\nAWS_REGION=\u003cregion\u003e ./kms-cryptsetup computer-context\n```\n\nwhich should print something like:\n```\nsupermicrozaaaaaaaa000000000000000000000aaaaaaaaaa\n```\n\nThis is determined from the following DMI values:\n* The motherboard vendor\n* The motherboard serial number\n* The motherboard product UUID\n\nIf these keys are not available, you can specify these manually in the next steps.\n\nOn your workstation, given some AWS credentials, run:\n\n```\nAWS_REGION=\u003cregion\u003e ./kms-cryptsetup grant-computer -c \u003ccomputer context from above\u003e\n```\n\nIf this is a new IAM user, the tool will print the AWS Access Key and Secret Access Key\nto be installed to `/root/.aws/credentials` or used as environment variables on the target\nsystem.\n\n## Encrypt a disk\n\n`kms-cryptsetup` can pass the relevant parameters to `cryptsetup` with the following defaults:\n\n```\ncryptsetup --allow-discards --cipher aes-xts-plain64 --key-file - --key-size 256 open --type plain /dev/\u003ctarget device\u003e /dev/mapper/dmcrypt-\u003cdevice\u003e\n```\n\nTo do this, run:\n```\nAWS_REGION=\u003cregion\u003e ./kms-cryptsetup encrypt-disk -d \u003cdevice\u003e\n```\n\n## Run a custom command\nTo use your own cryptsetup command line, use the following:\n\n```\nAWS_REGION=\u003cregion\u003e ./kms-cryptsetup output-key -d \u003cdevice\u003e | cryptsetup 
\u003coptions\u003e\n```\n\n## Revoke a computer's access\n\nThis will revoke a computer's access. This can be restored at any time using\n`grant-computer`. Access Keys do not need to be rotated for this to work.\n\n```\nAWS_REGION=\u003cregion\u003e ./kms-cryptsetup revoke-computer -c \u003ccomputer context\u003e\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frandomvariable%2Fkms-cryptsetup","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frandomvariable%2Fkms-cryptsetup","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frandomvariable%2Fkms-cryptsetup/lists"}